Cluster Security Monitoring Tools: Difference between revisions

From DISI
(A few commands were under the wrong description. Reordered and clarified commands)
Latest revision as of 19:14, 8 April 2017

Check whether sendmail already exists in /etc/rc.d/init.d/ before installing it.

# Only if sendmail is not already installed
yum install logwatch fail2ban sendmail 
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
vim /usr/share/logwatch/default.conf/logwatch.conf
       Change "Print=" to "Print=No"
       Make sure that "MailTo=root" and "range=yesterday" are set
       Save and exit
echo "logwatch@blur.compbio.ucsf.edu" > /root/.forward
service sendmail start
logwatch
       Check to see if you got an email from logwatch. If not, type:
       logwatch --mailto logwatch@blur.compbio.ucsf.edu
chkconfig --levels=345 sendmail on
chkconfig --levels=345 logwatch on

FAIL2BAN

If fail2ban is not already available in the yum repositories, add the EPEL repository first.

FOR CENTOS 5.X:

               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
               rpm -Uvh epel-release-5-4.noarch.rpm
               yum update

FOR CENTOS 6.X:

               cd /etc/yum.repos.d/
               wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
               rpm -Uvh epel-release-6-8.noarch.rpm
               yum update

FOR CENTOS 6.X and 5.X:

cd /etc/fail2ban
cp jail.conf jail.local
vim jail.local
       

FOR TORONTO:

       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16

FOR SF:

       ignoreip = 127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.0.0.0/16 10.100.0.0/16 10.10.0.0/16

For both sites, set the remaining values in the same [DEFAULT] section:

       bantime = 6000000000
       findtime = 3600
       maxretry = 5
       backend = polling

Under the "[ssh-iptables]" label:

       Make sure that enabled = true
       For the "action" variable, make sure you change the sender to
       sender=fail2ban@whatever_the_hostname_is_.uoft.bkslab.org

To get rid of the annoying messages that get printed to the console:

vim /etc/fail2ban/fail2ban.conf
       logtarget = /var/log/secure
service fail2ban start
chkconfig --levels=345 fail2ban on


COMMON COMMANDS FOR FAIL2BAN

Ask users to get their IP Address from this website (top left corner): http://blaster.docking.org/cgi-bin/myquotas.pl

To ignore a single IP address:

fail2ban-client set ssh-iptables addignoreip XXX.XXX.XXX.XXX

To remove IP address from ignore list

fail2ban-client set ssh-iptables delignoreip XXX.XXX.XXX.XXX

To unban a single ip address:

fail2ban-client set ssh-iptables unbanip x.y.z.w

To ban a single ip address:

fail2ban-client set ssh-iptables banip x.y.z.w

To see a list of ip addresses that are in jail:

iptables -L -n
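The fail2ban-client commands above take a raw address, and a typo in an addignoreip call silently whitelists the wrong host for the life of the jail, while a banip against an address inside the jail's own ignoreip range is usually a sign the wrong user IP was copied from the quota page. The POSIX sh wrapper below is an added example, not part of this wiki page: it validates the dotted-quad, checks the address against the ignoreip ranges from the Toronto jail.local above (IGNOREIP is a constructed copy of that line; the function and variable names are the example's own), and prints the exact fail2ban-client line so the operator can review it before running it.

```shell
#!/bin/sh
# Added example (not from the wiki page): wrapper around the fail2ban-client
# commands listed on this page. It validates the IPv4 address, refuses to
# hand-ban an address the jail's ignoreip list already whitelists, and prints
# the command line to run. IGNOREIP is a constructed copy of the Toronto
# ignoreip line above; JAIL is the jail name used throughout this page.
IGNOREIP="127.0.0.1/8 169.230.0.0/16 142.150.0.0/16 10.10.0.0/16"
JAIL="ssh-iptables"

# validate_ipv4 A.B.C.D -> 0 if exactly four decimal octets in 0..255, else 1
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int A.B.C.D -> prints the address as a 32-bit unsigned integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> 0 if IP lies inside the block (a bare address means /32)
in_cidr() {
    addr=$(ip_to_int "$1")
    net=${2%/*}
    prefix=${2#*/}
    [ "$prefix" = "$2" ] && prefix=32
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_ignored IP -> 0 if any IGNOREIP entry covers the address
is_ignored() {
    for entry in $IGNOREIP; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# f2b_cmd ACTION IP -> prints the fail2ban-client command line to run.
# ACTION: ban | unban | ignore | unignore (mapped to the subcommands on this page)
f2b_cmd() {
    validate_ipv4 "$2" || { echo "invalid IPv4 address: '$2'" >&2; return 2; }
    case "$1" in
        ban)
            if is_ignored "$2"; then
                echo "refusing to ban $2: it is covered by ignoreip ($IGNOREIP)" >&2
                return 3
            fi
            sub=banip ;;
        unban)    sub=unbanip ;;
        ignore)   sub=addignoreip ;;
        unignore) sub=delignoreip ;;
        *) echo "unknown action: $1" >&2; return 2 ;;
    esac
    echo "fail2ban-client set $JAIL $sub $2"
}

# Usage: sh f2b_wrap.sh ban 203.0.113.7   (prints the command; review it, then run it)
if [ "$#" -ge 2 ]; then
    f2b_cmd "$1" "$2"
fi
```

The wrapper only prints the command; piping its output to sh is a deliberate second step so the operator sees which jail and which subcommand (banip vs unbanip, addignoreip vs delignoreip) the address is about to hit. The CIDR check is done in plain shell arithmetic so it runs on the same CentOS 5/6 hosts as the procedure above without extra packages.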